Penetration Testing mailing list archives

RE: Evading IDS?


From: "Golomb, Gary" <GGolomb () enterasys com>
Date: Thu, 18 Mar 2004 22:07:56 -0500


As far as already available tools go, use fragroute with the
PAWS/wrapped sequencing chaffing options. Don't bother with the
fragmentation options - you'll probably just run into the same problem.
This could be used together with overlapping and out-of-order segments
with some lapses in timing. (The fragroute man page is well written and
covers all this stuff.) The only caveat is that you'll need to know how
the end host will handle reassembly of your packets. A good way to test
is to set up fragroute, send completely benign/normal requests through
it, and see if you get replies. In reality, you'll get limited mileage
with application-layer encoding against most IDSs, *especially* when it
comes to http. (Not that it's completely ineffective. There are just
easier alternatives available IMO.) 

-gary

-----Original Message-----
From: Mark G. Spencer

I've come across what I assume is an IDS during some network
reconnaissance. I am able to run nmap (connect scan, default ports)
against the entire target class C in question without any problems, but
when I run Nikto against any of the webservers, Nikto output dies just
after the trace/track method information and I am then unable to access
anything on the target class C for a set period of time - at least
fifteen minutes.

If I move to a different netblock, I can access the target class C
again ... well, until I run Nikto.  ;)

It looks like all the routing and VPN gear on the target class C is
Cisco based, so I'll make an assumption for now that the IDS is also
Cisco.

Any advice on how to evade the IDS?  I know Nessus and Nikto offer a
variety of IDS evasion techniques, but am I correct in assuming that a
vendor such as Cisco (or any large vendor) has taken well-known evasion
techniques into account?  I will try different combinations of evasion
techniques today and hopefully won't run out of open class C IP
addresses on my network as I continue getting 15min+ blacklisted.

Thanks for the advice,

Mark



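Gary's caveat above ("you'll need to know how the end host will handle reassembly of your packets") is the whole problem from the IDS side as well: when two TCP segments overlap with different bytes, the byte stream the sensor reconstructs depends on which segment its policy favours, and if the monitored host favours the other one, the sensor inspects a payload the host never saw. The small model below is an added example written for this archive, not code from Gary, Mark, fragroute or any IDS vendor. The segments are constructed sample data, the two policies ("first" and "last") are deliberate simplifications of real stack behaviour, and the point of `inconsistent_overlaps` is the defensive one: overlapping segments whose bytes disagree have no legitimate reason to exist, so a sensor can alert on the condition itself instead of guessing which version the host accepted.

```python
# Added example (not part of the original thread). Models how overlapping TCP
# segments are resolved under two simplified reassembly policies and flags the
# overlaps whose bytes disagree. Sample segments below are constructed.
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (relative sequence number, payload)

# Constructed sample: a plain request split in two, plus a third segment that
# overlaps the first one with different bytes for part of the path.
SAMPLE_SEGMENTS: List[Segment] = [
    (0, b"GET /index."),          # offsets 0..10
    (11, b"html HTTP/1.0\r\n"),   # offsets 11..25
    (5, b"admin.html"),           # offsets 5..14, disagrees with offsets 5..9
]


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the stream from possibly overlapping segments.

    policy == "first": the earlier-arriving segment's bytes win on overlap.
    policy == "last":  the later-arriving segment's bytes win.
    Real stacks have more nuanced rules (per-OS, partial-overlap cases);
    these two are enough to show that the answer is policy dependent.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy: {policy}")
    stream: Dict[int, int] = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            offset = seq + i
            if policy == "first":
                stream.setdefault(offset, byte)
            else:
                stream[offset] = byte
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    if hi - lo + 1 != len(stream):
        raise ValueError("stream has holes; cannot reassemble contiguously")
    return bytes(stream[k] for k in range(lo, hi + 1))


def inconsistent_overlaps(segments: List[Segment]) -> List[int]:
    """Offsets covered by more than one segment with *different* byte values.

    A non-empty result is the condition a sensor should alert on: retransmitted
    data that genuinely came from the same stack would carry the same bytes.
    """
    seen: Dict[int, int] = {}
    conflicts = set()
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            offset = seq + i
            if offset in seen and seen[offset] != byte:
                conflicts.add(offset)
            seen.setdefault(offset, byte)
    return sorted(conflicts)


def policies_disagree(segments: List[Segment]) -> bool:
    """True when the two policies produce different streams from the same input."""
    return reassemble(segments, "first") != reassemble(segments, "last")


if __name__ == "__main__":
    for pol in ("first", "last"):
        print(pol, reassemble(SAMPLE_SEGMENTS, pol))
    print("conflicting offsets:", inconsistent_overlaps(SAMPLE_SEGMENTS))
    print("policies disagree:", policies_disagree(SAMPLE_SEGMENTS))
```

Run stand-alone, the sample reassembles to `GET /index.html HTTP/1.0` under "first" and `GET /admin.html HTTP/1.0` under "last", and offsets 5 through 9 are reported as conflicting. In production sensors the corresponding mitigation is target-based reassembly, where the sensor is told which policy each protected host uses (Snort's frag3 and stream5 preprocessors expose this as a per-target `policy` setting) and additionally raises an alert when overlapping data is inconsistent, which is exactly the condition `inconsistent_overlaps` detects.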



